Credential Stuffing vs Password Spraying

29. October 2020

At my employer we use Office 365. I’m not an Microsoft advocate. My friends and colleagues rather know me as Apple-Fanboy and BSD-Geek. But I have to admit that Office 365 works good enough. Even in these pandemic times when we work from home Teams and such serves very well. As part of our security team we also encounter attacks against our user accounts. Maybe you read about that in the press: There are credential stuffing and password spray attacks going on this year against Office 365 accounts.…more

AuthN vs AuthZ

23. October 2020

When you do some “login stuff” nowadays you may stumbled upon the terms AuthN and AuthZ. Maybe you wondered what these “N” and “Z” means? Short answer: AuthN stands for Authentication, and AuthZ stands for Authorization. That’s easy right? We’re done for this blog post 🙃 Authentication vs. Authorization But what is the difference of these two terms? Is it not the same? Short answer: No, it isn’t!…more

OAuth 2.0 Implicit Flow Considered Harmful

8. October 2020

Certainly I’m not the only one writing into the web that OAuth 2.0 Implicit Flow is bad for security reasons and deprecated by OAuth 2.0 Best Current Practices and OAuth 2.1. But this can’t be said enough times. So I’ll try my best! This post is a guide for people facing situations where random dudes asking “Why should I bother? See, Microsoft is recommending it!” After reading this post you can tell them why it is a bad idea to use implicit flow.…more

Improve Your Documentation With Russian Roulette

21. September 2020

As software dudes we write documentation. Of course we do. Most of the time we write some API docs (JavaDoc or such) in the source code. This is not a big deal in my opinion. You do this as well as writing code and tests. Also you review this regularly within the normal code reviews. Yeah, code reviews are something normal in my world! But some times we’re urged to write some documentation outside of the source code.…more

Hide and Seek in TXT Records

18. September 2020

Did you ever wondered how the “bad guys” cover things? Some time ago John Ferrell wrote about how to hide malicious code in files looking like a good old plain text log file. Last month (August 2020) John Hammond wrote a part two. In this part he’s showing how they download additional payloads from the internet under the radar. It’s quite simple, if you know. What’s the Problem with Payloads So if you are writing malware you face the same problem as any software developer: You want to ship updates.…more

Frauenquote

29. May 2020

Disclaimer: Ich bin ein Mann und eigentlich sollten wir Männer bei diesem Thema gepflegt die Fresse halten, weil wir nicht betroffen sind! Warum schreibe ich jetzt trotzdem etwas dazu? Letztens hat mein Arbeitskollege Stefan Rauch über das Thema Frauenquote geschrieben. Woraufhin ich kommentierte dass es meiner Meinung nach nur mit Quote gehen wird: Leider funktioniert es nur mit Quote. Das zeigt ja schon alleine wie wenig sich in den letzten Jahrzehnten getan hat.…more

Please Use Semantic Versioning

22. May 2020

TL;DR Please use Semantic Versioning and please use it right! This is a little rant about tools, libs and frameworks not using Semantic Versioning. This morning I was triggered on Twitter by the announcement of Terraform version 0.13. My first thought was: WTF! Why are you still at 0.x with a software widely used in production? Disclaimer: I use Terraform by my self and I like it. Scrolling through my time line I saw various other announcements like 0.…more

My Opinion on Zoom

15. May 2020

TL;DR: Do not use Zoom at all! If you have to: Use it on iOS or in the browser. Nowadays we use lots of video conferencing to practice physical distancing. A major player in the field is Zoom. One reason for that is the fact that they have a good software quality. At least on the surface it looks like they have. Because the inner software quality seems not that good.…more

Hardening Your SSHd With Ansible

8. May 2020

Disclaimer: This is not a beginner tutorial. You should have a brief understanding and some experiences with Linux and Ansible. Whenever you run a server in the wild wild web you should harden your SSHd setup. If you wonder why you should do that, then spin up a machine with enabled SSHd and watch the logs: Usually it takes only few minutes until the first scans and brute force attacks showing up in the logs.…more

It Is Not Just the Flu

30. April 2020

There are lot of opinions out there about SARS-CoV2 (aka. Corona). Lots of them stating that COVID-19 (the disease of a SARS-CoV2 infection) is not more than just the good ol’ flu. But this opinion is BS! Although I’m more a technical guy interested in computer stuff and security I feel the urge to say some words about this topic to provide an opposite pole. Because this ill-informed opinion SARS-CoV2 is just like the flu threatens the security of the health of my family, friends and me!…more